Thursday, July 17, 2014

OSB and the Load Balancer Source-IP (X-Forwarded-For)

If you configure the load balancer correctly, OSB should be able to retrieve the actual client (originator) IP address, which the load balancer inserts as a user header:

<tran:user-header name="Source-IP" value="10.56.164.149"/>

   <inbound>
      <con:endpoint name="ProxyService$PVLoadBalancerTest$PVLoadBalancerTestPS" xmlns:con="http://www.bea.com/wli/sb/context">
         <con:service/>
         <con:transport>
            <con:uri>/PVLoadBalancerTest/PVLoadBalancerTestPS</con:uri>
            <con:mode>request-response</con:mode>
            <con:qualityOfService>best-effort</con:qualityOfService>
            <con:request xsi:type="http:HttpRequestMetaData" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
               <tran:headers xsi:type="http:HttpRequestHeaders" xmlns:tran="http://www.bea.com/wli/sb/transports">
                  <tran:user-header name="Source-IP" value="10.56.164.149"/>
                  <http:Accept-Encoding>gzip,deflate</http:Accept-Encoding>
                  <http:Content-Length>0</http:Content-Length>
                  <http:Content-Type>application/xml</http:Content-Type>
                  <http:Host>myhost.acme.com</http:Host>
                  <http:User-Agent>Jakarta Commons-HttpClient/3.1</http:User-Agent>
               </tran:headers>
               <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">iso-8859-1</tran:encoding>
               <http:relative-URI>PVLoadBalancerTest/PVLoadBalancerTestPS</http:relative-URI>
               <http:client-host>10.56.15.34</http:client-host>
               <http:client-address>10.56.15.34</http:client-address>
               <http:http-method>POST</http:http-method>
            </con:request>
            <con:response xsi:type="http:HttpResponseMetaData" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
               <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:tran="http://www.bea.com/wli/sb/transports">
                  <http:Content-Type>text/xml</http:Content-Type>
               </tran:headers>
               <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">0</tran:response-code>
            </con:response>
         </con:transport>
         <con:security>
            <con:transportClient>
               <con:username>&lt;anonymous&gt;</con:username>
            </con:transportClient>
         </con:security>
      </con:endpoint>
   </inbound>

while http:client-host and http:client-address hold the (fixed) IP address of the load balancer itself, since that is the TCP peer OSB actually talks to.

How the LB should be configured, I have little clue; I only know that they do an "Insert Src IP Addr..: Header field: "Source-IP"". See here for instructions for a specific product, Citrix NetScaler.

This XPath will extract the header from the message context:

$inbound/ctx:transport/ctx:request/tp:headers/tp:user-header[@name='Source-IP']
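
As an added example (not code from the original post), here is how a defender would consume that header outside an OSB pipeline, in Python rather than XQuery: the originator address in "Source-IP" is believed only when http:client-address is one of the load balancers known to overwrite it, otherwise a caller connecting directly could supply any value. It assumes the $inbound context is available as XML text (the sample below is constructed from the dump above) and that the set of trusted load balancer addresses is known.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces used inside the OSB $inbound context variable
NS = {
    "con": "http://www.bea.com/wli/sb/context",
    "tran": "http://www.bea.com/wli/sb/transports",
    "http": "http://www.bea.com/wli/sb/transports/http",
}

# Constructed sample, trimmed from the $inbound dump above: the LB (10.56.15.34)
# is the TCP peer and has inserted the originator address into "Source-IP".
SAMPLE_INBOUND = """<inbound>
  <con:endpoint name="ProxyService$PVLoadBalancerTest$PVLoadBalancerTestPS"
      xmlns:con="http://www.bea.com/wli/sb/context"
      xmlns:tran="http://www.bea.com/wli/sb/transports"
      xmlns:http="http://www.bea.com/wli/sb/transports/http">
    <con:transport><con:request>
      <tran:headers>
        <tran:user-header name="Source-IP" value="10.56.164.149"/>
      </tran:headers>
      <http:client-address>10.56.15.34</http:client-address>
    </con:request></con:transport>
  </con:endpoint>
</inbound>"""


def resolve_client_ip(inbound_xml, trusted_lbs, header_name="Source-IP"):
    """Originator IP for a request: the inserted header is believed only when the
    TCP peer (http:client-address) is a load balancer known to overwrite it."""
    root = ET.fromstring(inbound_xml)
    peer = root.findtext(".//con:request/http:client-address", namespaces=NS)
    if peer is None:
        return None
    trusted = {ipaddress.ip_address(a) for a in trusted_lbs}
    if ipaddress.ip_address(peer) not in trusted:
        return peer  # direct connection: anyone could have set the header themselves
    # The post's XPath, in ElementTree's dialect
    path = ".//con:request/tran:headers/tran:user-header[@name='%s']" % header_name
    hdr = root.find(path, NS)
    if hdr is None:
        return peer
    # X-Forwarded-For style lists: use the last entry, the one the trusted LB
    # appended (assumes the LB appends, so any client-sent prefix is ignored).
    candidate = hdr.get("value", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed header value: fall back to the peer address
```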

In order to log this IP in the WebLogic access.log file, see the Oracle document "How to obtain the correct Client IP address when a Physical Load Balancer and a Web Server Configured With Proxy Plug-in Are Between The Client And Weblogic (Doc ID 1375129.1)", where they explain the "Insert XForwardedFor" option, the "WL-Proxy-Client-IP" header and the "WebLogic Plug-In Enabled" setting.

See also http://en.wikipedia.org/wiki/X-Forwarded-For

From the Console Help of "WebLogic Plug-In Enabled" I read:

Set this attribute to true if the cluster will receive requests from a proxy plug-in or HttpClusterServlet. When WeblogicPluginEnabled is true, a call to getRemoteAddr will return the address of the browser client from the proprietary WL-Proxy-Client-IP header, instead of the web server.

So I believe that the name of the header should be changed from "Source-IP" to "WL-Proxy-Client-IP" in order to be able to capture it... too bad it's not configurable... no, wait, the doc says: "Since 10.3.3 it is possible to configure a specific header that WLS will check when getRemoteAddr is called. That can be set on the WebServer MBean." It looks like they refer to this method.

One should then set the HTTP log format to ELF (Extended Log Format); by default the fields are "date time cs-method cs-uri sc-status". Add cs(X-Forwarded-For) or cs(Source-IP), or whatever name you are using for the header, to the field list.

From the Oracle DOC 1375129.1:

1. At the WebLogic end, you need to enable "WebLogic Plug-In Enabled". This option can be set at either the cluster level or the server level.

WebLogic Plug-In Enabled:

Set this attribute to true if the cluster will receive requests from a proxy plug-in or HttpClusterServlet. When WeblogicPluginEnabled is true, a call to getRemoteAddr will return the address of the browser client from the proprietary WL-Proxy-Client-IP header, instead of the web server.

For non-clustered servers that will receive proxied requests, this attribute may be set at the server level, on the Server > Configuration >General tab.

If you want to set it at cluster level, ex: Home >Summary of Servers >Summary of Clusters >new_Cluster_1 > General > Advanced

2. At the load balancer end, you need to create an HTTP profile and then enable "WL-Proxy-Client-IP: [IP::client_addr]", and also enable "Insert XForwardedFor".